The expert view: Improving the skills gap in cyber security

28 November 2017
| Author: Shane Richmond

“Those that would attack us are working together globally and we must do the same,” said Gavin Kenny, Associate Partner at IBM, opening a recent Business Reporter breakfast briefing at the Ritz Hotel, in London. He told an audience of senior cyber security professionals that the industry faces a significant skills gap and proposed three key areas to focus on.

First, the industry needs to find more people who are able to talk to senior colleagues in a language that resonates with them. Gone are the days of a separate Security department that doesn’t understand the business – and that the business can’t understand in return.

Second, cyber security professionals need to do more to encourage schoolchildren and university students to consider a career in the sector, and also consider new collar workers, those coming back from a career break or taking a change in their career direction, into security teams with technical certifications not being the main focus but other skills that can be leveraged, such as human behavior and psychology.

Third, technology such as AI will change the nature of cyber security roles, for example Watson for Cyber Security already assisting analysts to investigate threats at unprecedented speed and accuracy thus alleviate some of the need for new people and supporting those with less training than previously required.

A more open Security department

Though people often talk about a cyber security skills shortage, that covers a broad area. There are, in fact, a range of roles that need to be filled. One often overlooked area, said an attendee from the banking sector, is in ‘soft skills’. These are vital when it comes to working closely with the rest of the business including the board but are frequently ignored in favour of ‘hard’ technical skills.

It’s no coincidence, added another attendee, that women are underrepresented in technology generally, and women typically possess more soft skills.

Those in the industry need to consider the image they project, too. One attendee said that her company has begun dropping acronyms from job ads because they put off people from elsewhere in the business that might otherwise apply. Attendees agreed that the ‘military style’ language cyber professionals use can seem intimidating, and this makes it harder to broaden the range of backgrounds in the sector.

Seeking the next generation

Mr. Kenny said IBM is already working with schools and universities to encourage young people to consider cyber security careers. However, it takes time to bring about change, with attitudes to who is suited to computing and technical subjects often fixed at a young age.

One message that needs to be relayed to schools, said an attendee, is that it is not just the naturally technical people who should be directed towards computing and engineering qualifications. Broadening the range of people who go through to university level is a vital part of acknowledging that IT is a wide industry that needs a mix of different talents.

This is crucial within businesses, too, said an attendee from the media sector. Risk and governance are transferable skills and someone who has developed those skills in, say, the financial side of the business, should be capable of using them in cyber security. However, they are often discouraged by the feeling that IT is for ‘computer nerds’.

For those who have taken a career break, for example to have children, IT can feel like a challenging sector to get back into. It’s a world that moves very quickly and a break of five years can make many women feel unable to return, said one delegate who works in the technology sector. Without support from the business, a lot of talent will be lost in people who take career breaks and never re-enter the sector.

Exacerbating the problem for working mums is the need for flexible working. For many, the majority of their salary is lost to childcare, so without flexibility there is little point in returning to work. Again, this leads to a form of ‘brain drain’.

Technology takes up some slack
The growth of artificial intelligence (AI) or Cognitive Security will deal with some of the skills shortage problems, said Mr. Kenny. AI systems can automate a lot of the repetitive tasks, such as looking for anomalies or even just keeping up with research and new breach reports, with the ability to tap into vast amounts of structured and unstructured data.

While that will reduce the need for humans in some roles, it is likely to put more emphasis on human analysts to determine which of the AI’s findings need to be acted on and according to what priority.

AI will probably develop in a similar way to cloud services, said an attendee, in that companies will buy in more of what they need and have fewer people managing processes in-house.

One attendee at the briefing said there has historically not been enough strategy in Security investments, with companies too often reacting to a problem and rushing to buy whatever software solution promises a fix. This leads to a selection of systems that don’t talk to one another and makes the job harder for staff. It was highlighted that IBM’s Security Immune system has been developed to allow security products from different venders to be integrated into a single solution making it easier to manage and more effective.

Overall it was agreed that while good progress being made to encourage children to think about Cyber Security as a career with the NCSC’s CyberFirst programme, more can be done to encourage those returning to work to consider Cyber Security by reducing the need for hard technical skills, and that automation and AI technologies have the potential to help reduce the need for deep technical knowledge, by providing insights quickly at the point of need.